github getnora-io/nora v0.8.0

5 hours ago

What's new

Features

  • Hash Pin Store — content-addressable integrity verification for all stored artifacts. Every published artifact gets a pinned SHA256 hash on first write; subsequent uploads with the same key are rejected if the hash differs. NDJSON persistence across restarts (#229)
  • Trusted proxy support — NORA_AUTH_TRUSTED_PROXIES accepts CIDR ranges (e.g. 10.0.0.0/8,172.16.0.0/12) for correct client IP extraction from X-Forwarded-For (#230)
  • Cache-Control headers — proper HTTP caching directives for proxy registries (Docker, Maven, npm, Cargo, PyPI, Go, Pub, Raw). Immutable artifacts get max-age=31536000, immutable; mutable metadata gets short TTL (#230)
  • Auth rate limiting — per-IP exponential backoff on failed authentication (5 failures → lockout 1s→15min cap, 429 Too Many Requests + Retry-After) (#229)
  • Version consistency gate — scripts/pre-commit-check.sh validates Cargo.toml, OpenAPI spec, and Cargo.lock versions match before every commit. Enforced in release pipeline — prevents version mismatch bugs (#224, #225)
  • GOVERNANCE.md and ROADMAP.md — project governance model (Benevolent Dictator) and public feature roadmap (#228)

Bug Fixes

  • Docker proxy timeout — default timeout raised from 60s to 300s. Large image pulls (multi-GB layers) no longer time out on slow connections. Configurable via NORA_DOCKER_PROXY_TIMEOUT=300 (#233)
  • Unicode path validation — non-ASCII characters in Maven/Raw upload paths now return 400 Bad Request instead of 500 Internal Server Error (#234)
  • S3 paginated listing — storage size calculation now correctly handles buckets with >1000 objects (#230)
  • Docker temp file cleanup — upload temp files are removed on failure instead of accumulating on disk (#230)
  • Docker publish_locks eviction — automatic cleanup of stale upload locks that could block re-uploads after crashes (#230)
  • OpenAPI schema deduplication — removed 8 duplicate type definitions from API docs (#227)
  • OpenAPI status codes — documented 400/409/413/422/503 responses that the API already returns (#235)

Security

  • Curation bypass token — constant-time comparison using the subtle crate, which prevents timing side-channel attacks (#230)
  • Curation completeness — all 13 registries pass through curation policy checks consistently (#230)

Stats

  • 908 tests (was 851 in v0.7.2)
  • Docker image: ghcr.io/getnora-io/nora:0.8.0 / getnora/nora:0.8.0
  • Helm chart: v0.3.4 (update appVersion to 0.8.0 in your values)

Install

docker pull getnora/nora:0.8.0

Or download the binary:

curl -LO https://github.com/getnora-io/nora/releases/download/v0.8.0/nora-linux-amd64
chmod +x nora-linux-amd64
sudo mv nora-linux-amd64 /usr/local/bin/nora

Upgrade from v0.7.x

Drop-in replacement. No config changes required. New features are opt-in:

# Set trusted proxies if behind a load balancer (optional)
NORA_AUTH_TRUSTED_PROXIES=10.0.0.0/8
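
Why the trusted-proxy list matters for client IP extraction, shown as an added example (not NORA's own code): X-Forwarded-For is only honoured when the connecting peer is inside a trusted CIDR range, and the header is walked right to left so a forged leftmost entry is never chosen. The right-to-left algorithm and the names `Cidr`, `parse_trusted` and `client_ip` are assumptions made for illustration.

```rust
use std::net::IpAddr;

// Hypothetical helper type for this example: one CIDR range, e.g. 10.0.0.0/8.
struct Cidr { net: IpAddr, prefix: u32 }

// Address as an integer plus its bit width (32 for IPv4, 128 for IPv6).
fn bits(ip: IpAddr) -> (u128, u32) {
    match ip {
        IpAddr::V4(a) => (u32::from(a) as u128, 32),
        IpAddr::V6(a) => (u128::from(a), 128),
    }
}

impl Cidr {
    fn parse(s: &str) -> Option<Cidr> {
        let (addr, len) = s.trim().split_once('/')?;
        let (net, prefix) = (addr.parse::<IpAddr>().ok()?, len.parse::<u32>().ok()?);
        if prefix > bits(net).1 { return None; }
        Some(Cidr { net, prefix })
    }
    fn contains(&self, ip: IpAddr) -> bool {
        let ((n, width), (i, w)) = (bits(self.net), bits(ip));
        if width != w { return false; } // never match IPv4 against IPv6
        self.prefix == 0 || (n >> (width - self.prefix)) == (i >> (width - self.prefix))
    }
}

// Parse the comma-separated setting value; any malformed entry rejects the whole list.
fn parse_trusted(list: &str) -> Option<Vec<Cidr>> {
    list.split(',').map(Cidr::parse).collect()
}

// Walk X-Forwarded-For right to left; the first hop outside the trusted ranges is the client.
fn client_ip(peer: IpAddr, xff: &str, trusted: &[Cidr]) -> IpAddr {
    let is_trusted = |ip: IpAddr| trusted.iter().any(|c| c.contains(ip));
    if !is_trusted(peer) { return peer; } // header sent by an untrusted peer is ignored
    let mut client = peer;
    for hop in xff.rsplit(',') {
        match hop.trim().parse::<IpAddr>() {
            Ok(ip) => { client = ip; if !is_trusted(ip) { break; } }
            Err(_) => break, // malformed hop: keep the last address that parsed
        }
    }
    client
}

fn main() {
    let trusted = parse_trusted("10.0.0.0/8,172.16.0.0/12").expect("valid CIDR list");
    // Constructed header: forged leftmost entry, then the real client, then an inner proxy.
    let ip = client_ip("10.0.0.1".parse().unwrap(), "192.0.2.66, 203.0.113.7, 10.0.0.5", &trusted);
    println!("client = {ip}");
}
```

Keeping the trusted ranges as narrow as the actual load balancer addresses limits who can influence the IP that per-IP controls such as auth rate limiting see.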
